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The Honorable John Thune The Honorable Bill Nelson 
Chairman, Committee on Commerce, Ranking Member, Committee on 
Science, and Transportation Commerce, Science, and Transportation 
United States Senate United States Senate 
512 Dirksen Senate Office Building 512 Dirksen Senate Office Building 
Washington, DC 20510 Washington, DC 20510 

28 September 2018 


Examining Safeguards for Consumer Data Privacy 


Dear Chairman Thune and Ranking Member Nelson, 


Iam the CEO of Brave, a rapidly growing Internet browser, based in San Francisco. I am 
also the inventor of JavaScript, and co-founded Mozilla/Firefox. 


I write to commend the Committee on Commerce, Science, and Transportation for 
engaging with this most pressing issue. It is our view as a company born and based in 
the United States, and as leading technologists, that the new framework for privacy 
regulation in the European Union represents a model that should be followed here. 


I view the General Data Protection Regulation (GDPR) as a great leveller. The GDPR 
establishes the conditions that can allow young, innovative companies like Brave to 
flourish. 


As regulators broaden their enforcement of the new rules in Europe, the GDPR’s 
principle of “purpose limitation” will begin to prevent dominant platforms from using 
data that they have collected for one purpose at one end of their business to the benefit 
of other parts of their business in a way that currently disadvantages new entrants. In 
general, platform giants will need “opt-in” consent for each purpose for which they 
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want to use consumers’ data. This will create a breathing space for new entrants to 
emerge. 


The character of the GDPR is congruent with the United States’ understanding of 
privacy. Indeed, the primary principles of the GDPR are based on principles that the 
United States already endorsed in 1980, in the OECD Guidelines on the Protection of 
Privacy and Transborder Flows of Personal Data. These previously endorsed principles 
include a GDPR-like definition of “personal data”. It is also worth noting that many 
features of the GDPR have been sought by the FTC for over a decade. 


In the coming years, common GDPR-like standards for commercial use of consumers’ 
personal data will apply in the EU, Britain (post EU), Japan, India, Brazil, South Korea, 
Argentina, and China, for civil and commercial use of personal data. These countries 
account for 51% of global GDP. A common standard reduces friction and uncertainty, 
allowing companies from these countries to operate and innovate together with greater 
efficiency. A United States GDPR-like standard will ensure our position and 
competitive edge as leaders in technology and innovation in the global marketplace. 


The online media and advertising industry 


A GDPR-like standard in the United States will also establish the foundation of trust to 
enable innovation and growth. This certainly applies in our own online media and 
advertising industry. Contrary to some of our industry colleagues, I believe that it is not 
tenable for any platform, publisher, technology vendor, or trade body, to claim that 
they must track people in order to generate revenue from advertising. 


The enormous growth of ad-blocking by people across the globe (to 615 million active 
devices by late 2017) proves the terrible cost of inadequately regulating the 
tracking-based advertising system. Trust will only return as the GDPR-like laws begin 
to curtail the online advertising industry’s worst practices. 


The economic benefit of “behavioral tracking” to publishers’ businesses is questionable. 
The IAB, an ad targeting industry trade body, recently funded a lobbying study on “The 
economic value of behavioral targeting in digital advertising” that claimed that 
publishers (in Europe) rely on tracking for their advertising revenue. It is now public 
knowledge that a startling omission was at the heart of this report. Without any 
indication that it was doing so, the report combined Google and Facebook’s massive 
revenue from behavioural ad tech with the far smaller amount that actual publishers 
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receive from it. Inclusion of Google and Facebook revenues enormously and incorrectly 
inflated the benefit that publishers derive from permitting ad tech companies to surveil 
and profile their visitors. 


Political micro-targeting 


The GDPR is also an important regulatory tool to fight political micro-targeting, and the 
attendant issues of micro-targeting. Currently, a person browsing the Web is tracked 
across nearly every webpage they visit by “online behavioral advertising” (OBA), 
which leverages persistent data collection to select the ads that are displayed. There is a 
massive and systematic data breach at the heart of this system that causes web users’ 
personal data to be leaked in such a way that can be harvested by unscrupulous data 
brokers. It is highly likely that this contributes to micro-targeting user data profiles. 


Furthermore, so-called “dark ads” on websites, targeted using OBA, may be 
considerably less traceable than those served on social media, because the websites 
themselves are not aware of what ads they serve. Unlike Facebook, the OBA industry 
consists of a vast array of third party networks, operating behind the scenes with 
opaque processes, with no central authority to hold to account. 


For these reasons, I urge you to consider the GDPR as a model to pursue. I would be 
delighted to provide further information, or to meet and brief you, to assist in your 


deliberations. 


Sincerely, 





Brendan Eich 
CEO, Brave Software 
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